I have a few general questions regarding the security of data transferred from the client to the server of a web site.

What I've read:
I've been reading about SSL, session IDs and encryption. I was reading how anyone running a sniffer can sniff your network data and if the data is not encrypted it can be used. And how when linking to a site they can catch session IDs in their referrer logs and use this to gather usernames and passwords and other important data.

My Situation:
My site does not have anything where credit cards, addresses or other more important data is being submitted, but I am making a discussion forum where currently I'm working on the sign-in part of it. So usernames and passwords would be submitted via form POST data and once it gets to my server I encrypt it using DES encryption.

My questions are:

1) For my particular case where only site passwords and usernames are sensitive data, can I get away without using SSL?

2) I've been reading about self-signed SSL certificates, and openSSL and freeSSL. Are these SSL alternatives just as secure as SSL itself and do you recommend it?

3) If network data can be easily sniffed, what would be the purpose of me encrypting the data server side since it was already sent unencrypted, other than some script kiddie with local access to my files?

4) Can you recommend other ways I can secure my data, and possibly suggest another SSL alternative?

May 20th, 2003, 03:54 PM

Networker

Quote:

3) If network data can be easily sniffed, what would be the purpose of me encrypting the data server side since it was already sent unencrypted, other than some script kiddie with local access to my files?

SSL aims to authenticate the client. The one that can be sniffed is the client, and from your standpoint you cannot prevent usurping access!

Ammo wrote:
The security of SSH, PGP, etc. relies on the "off-band" validation of the signatures of the exchanged keys. In SSH for example, when you first log on to a remote server, you're prompted with the key signature of the remote server; in theory, you would validate that signature with the administrator of the server via an "off-band" means (i.e. other than the internet; by phone or snail mail for example). The same holds with PGP public keys; recent PGP even shows the key signature as a series of dictionary words that you can easily read to someone by phone to validate. Of course, most people don't bother validating the keys, hence the security risk, but that's not really the protocol's fault, more of a human error...

May 20th, 2003, 05:52 PM

journy101

Thank you for the link to your thread, I will check it out now.

I was thinking of getting a 30 day trial SSL certificate as I found a site that offered that, but found that my web server software does not yet have a way to generate a certificate signing request, as I was reading you need this and then a CA signs it. So I was thinking of an alternative like openssl since I don't have the money to purchase certificates and really am only doing this for my learning purposes and not for people to buy stuff off my site.

May 20th, 2003, 05:57 PM

proactive

Re: Some questions regarding SSL and client to server data transfer

Quote:

Originally posted here by journy101
1) For my particular case where only site passwords and usernames are sensitive data, can I get away without using SSL?

Not really.

Quote:

2) I've been reading about self-signed SSL certificates, and openSSL and freeSSL. Are these SSL alternatives just as secure as SSL itself and do you recommend it?

SSL is only a specification for secure HTTP, a way to enable secure browsing on the internet. FreeSSL seems to be a provider of certificates, openSSL is an encryption programming library and signed SSL certificates are digitally signed certificates. All of these are using the SSL specification, they are not in any way related to a different specification. SSL is enabled in browsers and webservers, it's not something you have to care about. You only need a certificate for your webserver; you can get that from a certificate provider or generate your own using a CA-server. Note that if you generate your own, the browser will pop up a warning message every time it logs onto your server. But the data will still be encrypted.

Quote:

3) If network data can be easily sniffed, what would be the purpose of me encrypting the data server side since it was already sent unencrypted, other than some script kiddie with local access to my files?

If you enable SSL the browser will also encrypt the data. Nothing is sent unencrypted.

Quote:

4) Can you recommend other ways I can secure my data, and possibly suggest another SSL alternative?

On the web SSL is the only way. You can't choose SSL, you can only choose browsers and servers. Apache and IIS use different implementations of SSL, so do IE and Opera. And you can choose the certificate provider. Verisign is an alternative.

May 20th, 2003, 06:03 PM

Networker

Quote:

proactive wrote:
If you enable SSL the browser will also encrypt the data. Nothing is sent unencrypted.

At connection start, the login/password is!

What noia was talking about is that when you log onto a server you cannot really know that the server is the one you expect it to be. Which means some protocols are vulnerable to man-in-the-middle attacks. SSL usually isn't, because the server certificate will have to be issued by some well-known provider, else the browser will pop up a warning message. Most people don't care about the message, though, and that makes SSL vulnerable to man-in-the-middle as well. But it's still a little better than PGP.

Still the data is encrypted, but the wrong machine is at the other end.

May 20th, 2003, 06:58 PM

journy101

Thank you to everyone who clarified things for me.

I'm going to go read about a CA-server now as proactive suggested as a means for me to get signed certificates; since I'm only doing this for learning, I don't mind if my browser issues a warning. I'm learning a lot already about client-server security.

Running a web server really helps me security-wise as it has made me more cautious of things.

P.S. For those who have been following my posts and know that I'm making my own discussion forum similar to antionline but private: I have now got the invite, signup and approval scripts written and working. Now working on my login script and then onto my actual form.